Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f891e723 authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker
Browse files

Merge "Resolve custom printer icon boundary exploit." into sc-dev am:... 

Merge "Resolve custom printer icon boundary exploit." into sc-dev am: 5f83b305 am: 2abcf8bb am: 9f168252

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/24112147



Change-Id: Iee956ee5c9b336c7e30a0cadc8d70294bfa40515
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents ceacb727 9f168252

services/print/java/com/android/server/print/PrintManagerService.java

+34 −1
Original line number Original line Diff line number Diff line
@@ -254,12 +254,45 @@ public final class PrintManagerService extends SystemService { 
            }

            }

            final long identity = Binder.clearCallingIdentity();

            final long identity = Binder.clearCallingIdentity();

            try {

            try {

                return userState.getCustomPrinterIcon(printerId);

                Icon icon = userState.getCustomPrinterIcon(printerId);

                return validateIconUserBoundary(icon);

            } finally {

            } finally {

                Binder.restoreCallingIdentity(identity);

                Binder.restoreCallingIdentity(identity);

            }

            }

        }

        }





        /**

         * Validates the custom printer icon to see if it's not in the calling user space.

         * If the condition is not met, return null. Otherwise, return the original icon.

         *

         * @param icon

         * @return icon (validated)

         */

        private Icon validateIconUserBoundary(Icon icon) {

            // Refer to Icon#getUriString for context. The URI string is invalid for icons of

            // incompatible types.

            if (icon != null && (icon.getType() == Icon.TYPE_URI

                    || icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP)) {

                String encodedUser = icon.getUri().getEncodedUserInfo();



                // If there is no encoded user, the URI is calling into the calling user space

                if (encodedUser != null) {

                    int userId = Integer.parseInt(encodedUser);

                    // resolve encoded user

                    final int resolvedUserId = resolveCallingUserEnforcingPermissions(userId);



                    synchronized (mLock) {

                        // Only the current group members can get the printer icons.

                        if (resolveCallingProfileParentLocked(resolvedUserId)

                                != getCurrentUserId()) {

                            return null;

                        }

                    }

                }

            }

            return icon;

        }



        @Override

        @Override

        public void cancelPrintJob(PrintJobId printJobId, int appId, int userId) {

        public void cancelPrintJob(PrintJobId printJobId, int appId, int userId) {

            if (printJobId == null) {

            if (printJobId == null) {